Android Settings Update Creates NFC Vulnerability

A recent update to the Android OS has introduced a vulnerability that users of near-field communication (NFC) technology should deal with immediately. Google has already addressed the issue by releasing a patch, but it still needs to be downloaded and installed on each phone. NFC systems are the basis of contactless payments, and the vulnerability threatens to let a malicious party gain access to the handset and install unwanted applications.

NFC is a core feature that Android enables by default. Enabling NFC isn't a problem by itself, but a secondary setting that is also enabled by default allows unsigned applications to be installed on the handset. Previously, this was a system-wide setting that could be turned on or off, so that apps that don't originate from the Play Store would have limited access to the handset. The new setting moves the permission for installing unsigned applications to an app-by-app basis, then marks each core Android app (such as Android Beam, the NFC communicator) as a trusted application.

Introducing a Problem

The installation of a malicious app might not even be conspicuous. The user would only need to touch a payment portal that prompts for the installation of software on the phone. The user might then be asked to grant the app privileges through an official-looking notification that makes it seem as though the malicious app comes directly from the Play Store. By the time the user realizes what they have done, it's too late, and the malware is already live.

Google's patch for the problem came out in October, and the update closes the vulnerability by removing Android Beam as a trusted source. Users should update their devices as soon as possible to avoid falling prey to it. Unlike many Android vulnerabilities, this one is relatively straightforward to deal with even without the patch: users can open the settings for Android Beam and turn off its trusted status themselves. Users who haven't yet received the latest patch can take that precaution to ensure they don't end up on the wrong end of a malicious app install from an NFC source.
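The per-app "install unknown apps" setting described above can be audited from a workstation with adb rather than by tapping through Settings. The script below is an added example, not code from the article or from Google; it assumes the Android Beam / NFC service is the package `com.android.nfc`, that the per-app toggle is the `REQUEST_INSTALL_PACKAGES` app-op, and that `adb shell appops get` prints lines of the form `REQUEST_INSTALL_PACKAGES: allow; ...` (or `No operations.` when nothing is set).

```shell
# Audit whether the NFC service is still trusted to install apps from
# outside the Play Store, i.e. the condition the article describes.
# Assumptions (not taken from the article): package name, app-op name and
# the output format of `appops get` as documented in the lead-in.
NFC_PKG="com.android.nfc"
OP="REQUEST_INSTALL_PACKAGES"

# Reduce raw `appops get` output to its mode: allow, deny, ignore, default,
# or "none" when the package has no entry for the op at all.
# Constructed sample input: "REQUEST_INSTALL_PACKAGES: allow; time=+2d3h ago"
appop_mode() {
    out="$1"
    case "$out" in
        *"No operations"*) echo "none" ;;
        *) printf '%s\n' "$out" \
             | sed -n "s/^$OP: *\([a-z]*\).*/\1/p" \
             | head -n 1 ;;
    esac
}

# Exit 0 (exposed) when the mode is "allow", 1 otherwise.
is_exposed() {
    [ "$(appop_mode "$1")" = "allow" ]
}

# Query a connected, authorised device; needs adb on PATH.  Not exercised
# by the offline test below.
audit_device() {
    raw=$(adb shell appops get "$NFC_PKG" "$OP")
    if is_exposed "$raw"; then
        echo "WARNING: $NFC_PKG may install unknown apps (mode: allow)."
        echo "Revoke in Settings, or: adb shell appops set $NFC_PKG $OP deny"
        return 1
    fi
    echo "OK: $NFC_PKG cannot install unknown apps (mode: $(appop_mode "$raw"))"
}
```

Run `audit_device` after sourcing the script; a non-zero exit means the Android Beam trusted status is still on and should be turned off as the article recommends.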